Published in: 《计算机工程与设计》 (Computer Engineering and Design)

Research on the Architecture and Implementation Mechanism of an Application Security Support Platform

Abstract

To address the typical security problems that application systems face in classified protection work, an application security support platform is designed and implemented. The platform is based on trusted computing and follows the principle of least privilege. Using a mapping between resources and processes in the application environment, it constructs trusted and untrusted domains, which confines the scope that application security vulnerabilities can affect and isolates the information flows between applications. Through an application security encapsulation mechanism, information flows from upper-layer applications are analyzed and adjudicated at the system kernel layer, ensuring that the security mechanism is general-purpose and cannot be bypassed.
